In the compliance world—especially as it relates to deal-making and neutralizing corruption—due diligence is a risk assessment commandment.

When, however, is enhanced due diligence warranted? 

What motivates firms to decide if a third party should undergo an even stricter, more refined level of scrutiny? What are the costs and challenges?

The importance of enhanced due diligence is borne out in results from the recently completed Compliance Week survey on anti-bribery and corruption, conducted in conjunction with Refinitiv.

The pitch for an EDD program is a straightforward one: No enhanced due diligence investigation is ever the same. By undertaking a detailed review of new and existing customers and third parties, you can help guard against reputation and regulatory risk.

Nearly 90 percent of respondents to the survey said they put at least some of their third parties through these enhanced reviews with an eye toward safeguarding their reputations and complying with both foreign and domestic legal demands. The goal: reducing uncertainty and risk and making more informed, safe, and profitable business decisions.

Among the questions asked in the survey: “What percentage of your third parties undergo enhanced due diligence?”

A mere 13.25 percent said they do no such added screening. That same percentage indicated they put 50 percent of their third parties through enhanced due diligence. About 53 percent of those surveyed performed EDD on less than 1 in 4 vendors and about 20 percent put more than half of their third parties through enhanced vetting.

What were the biggest challenges firms face at the enhanced due diligence stage of their screening process? Responses (from 166 compliance professionals surveyed) included cost of enhanced checks (30.7 percent); lack of knowledge (31.3 percent); delivery time (16.9 percent); and data security (14.5 percent).

On a scale of 1-5 (where five was the strongest), respondents were asked which factors weighed heaviest in their decision on whether enhanced due diligence was needed. Top answers included geographical risk, political risk, industry-related risk, past behavior, and the importance of the third party to the business.

To grasp when enhanced due diligence—increased screening and analysis of otherwise standard data collection—is necessary, we turned to Kevin Bogdanov, director of market development – risk, Americas, for Refinitiv’s customer and third-party risk management business. He is currently exploring how data, technology, automation, and AI will disrupt and redefine Know-Your-Customer and third-party risk compliance.

“Enhanced due diligence really just fulfills a role within a certain stage of the due-diligence cycle,” he says. “You’ve got a risk assessment that your company will usually leverage and using that assessment you will determine what is risky for your business, in terms of cyber-security, inquests, bribery, corruption, or whatever. So, off the back of that, you might want to determine where there might be heightened exposure that requires greater due diligence to make sure that you really go out to those problematic areas.”

“These are just a couple of examples,” he adds. “But if any of these criteria or a combination of these criteria exist, then that is going to necessitate a greater level of due diligence. You would ideally have a risk matrix and risk assessment from the onset to determine what matters to you in terms of where your risk is and then, if any of those criteria are established in the available data, you would obviously go ahead and warrant some deeper diligence.”

Steadfast supervision

Once committed to that process, does enhanced due diligence retain a given life span? The answer: “sort of.”

“There is a process here, an end process, ideally,” Bogdanov says. “Obviously, you can’t sort of screen, or take your diligence at a point in time, and assume that nothing changes. However, if you just look at a couple of examples of things that can change—ownership structures, loans, joint ventures, new product lines, and new markets that the businesses will enter—any one of these changes may be a trigger. Another big one is mergers and acquisitions.”

“Any of these types of changes will fundamentally upend the level of risk and the type of risk that is inherent in a third party. So, what you need to do is you need to establish a cadence and framework for continuous monitoring of those parties.”

Most probably won’t need to do a refresh that often, because it would likely be classified low risk—unless some other factors elevate it. “Whereas if you have a high-risk entity and high-risk part of the world, maybe you might need to do the refresh as often as every year, for example,” he says. “You will, however, probably need to go and again issue a questionnaire and more than likely undertake independent analysis or leverage your data sources. You could look at changes in the media landscape, as there may be some sort of media article outlining potential hazards.”

“A firm may also want to create real-time alerting around changes in ownership structure, or new flags in a high-risk database.”

There is, nearly all experts warn, a cost to enhanced due diligence. To screen somebody in a database might cost you $1 a record or more. So there is a risk in thinking enhanced due diligence is always going to be better. Sometimes, it’s overkill.

“We have definitely seen over-screening and over-due diligence,” Bogdanov says. “It works equally on both ends of the spectrum. You need to have established the right framework and the right risk threshold upfront.”